revokation -> revocation

This commit is contained in:
marco 2024-02-09 11:53:52 +01:00
parent 082ed3b5f0
commit c15c528df8
3 changed files with 10 additions and 7 deletions


@ -20,7 +20,7 @@ import (
type TLSAuth struct {
AllowedOUs []string
CrlPath string
revokationCache map[string]cacheEntry
revocationCache map[string]cacheEntry
cacheExpiration time.Duration
logger *log.Entry
}
@ -168,14 +168,14 @@ func (ta *TLSAuth) isCRLRevoked(cert *x509.Certificate) (bool, bool) {
func (ta *TLSAuth) isRevoked(cert *x509.Certificate, issuer *x509.Certificate) (bool, error) {
sn := cert.SerialNumber.String()
if cacheValue, ok := ta.revokationCache[sn]; ok {
if cacheValue, ok := ta.revocationCache[sn]; ok {
if time.Now().UTC().Sub(cacheValue.timestamp) < ta.cacheExpiration {
ta.logger.Debugf("TLSAuth: using cached value for cert %s: %t", sn, cacheValue.revoked)
return cacheValue.revoked, nil
}
ta.logger.Debugf("TLSAuth: cached value expired, removing from cache")
delete(ta.revokationCache, sn)
delete(ta.revocationCache, sn)
} else {
ta.logger.Tracef("TLSAuth: no cached value for cert %s", sn)
}
@ -187,7 +187,7 @@ func (ta *TLSAuth) isRevoked(cert *x509.Certificate, issuer *x509.Certificate) (
revoked := revokedByOCSP || revokedByCRL
if cacheOCSP && cacheCRL {
ta.revokationCache[sn] = cacheEntry{
ta.revocationCache[sn] = cacheEntry{
revoked: revoked,
timestamp: time.Now().UTC(),
}
@ -267,7 +267,7 @@ func (ta *TLSAuth) ValidateCert(c *gin.Context) (bool, string, error) {
revoked, err := ta.isInvalid(clientCert, c.Request.TLS.VerifiedChains[0][1])
if err != nil {
ta.logger.Errorf("TLSAuth: error checking if client certificate is revoked: %s", err)
return false, "", fmt.Errorf("could not check for client certification revokation status: %w", err)
return false, "", fmt.Errorf("could not check for client certification revocation status: %w", err)
}
if revoked {
@ -284,7 +284,7 @@ func (ta *TLSAuth) ValidateCert(c *gin.Context) (bool, string, error) {
func NewTLSAuth(allowedOus []string, crlPath string, cacheExpiration time.Duration, logger *log.Entry) (*TLSAuth, error) {
ta := &TLSAuth{
revokationCache: map[string]cacheEntry{},
revocationCache: map[string]cacheEntry{},
cacheExpiration: cacheExpiration,
CrlPath: crlPath,
logger: logger,
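Review bot: revocationCache is read, deleted from (`delete(ta.revocationCache, sn)`) and written to (`ta.revocationCache[sn] = cacheEntry{…}`) in isRevoked with no locking visible in these hunks, and ValidateCert takes a *gin.Context, which suggests it runs concurrently per request; concurrent writes to a plain Go map abort the process, so unless synchronization exists outside the hunk the cache accesses should be guarded by a sync.Mutex field on TLSAuth. Separately, the cache key `sn := cert.SerialNumber.String()` is scoped by serial number only, whereas serials are unique per issuer, so a cached verdict for one CA's certificate could be returned for a different issuer's certificate with the same serial; isRevoked already receives issuer, so including it in the key (for example `sn := issuer.Subject.String() + ":" + cert.SerialNumber.String()`) closes that gap. In ValidateCert the new error string reads "client certification revocation status", where "certificate" is probably intended. The bodies of isRevoked and ValidateCert continue outside their hunks.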


@ -90,7 +90,9 @@ teardown() {
}
@test "simulate one bouncer request with a revoked certificate" {
truncate_log
rune -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42
assert_log --partial "invalid client certificate: client certificate is revoked"
assert_output --partial "access forbidden"
rune -0 cscli bouncers list -o json
assert_output "[]"


@ -132,7 +132,7 @@ teardown() {
'
config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
./instance-crowdsec start
rune -0 cscli lapi status
rune -1 cscli lapi status
rune -0 cscli machines list -o json
assert_output '[]'
}
@ -147,6 +147,7 @@ teardown() {
config_set "${CONFIG_DIR}/local_api_credentials.yaml" 'del(.login,.password)'
./instance-crowdsec start
rune -1 cscli lapi status
rune -0 cscli machines list -o json
assert_output '[]'
}
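Review bot: `rune -1 cscli lapi status` (the line that appears new in the first hunk, and the added line in the second) asserts only a non-zero exit without checking why the status call failed, so the test still passes if LAPI did not start or the credentials file could not be read, rather than because login and password were removed. Following each with an assertion on the reported reason, e.g. `assert_stderr --partial "<expected error text>"`, pins the failure to the missing credentials. Which of the two `cscli lapi status` lines in the first hunk is the old side is not marked on the page, so this reading is inferred.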